
tracking activity to IP address

Discussion in 'Security' started by ne0shell, Jan 6, 2012.

  1. ne0shell

    ne0shell Well-Known Member

    I've run into an issue I can't remember seeing before, not sure if it's just because it hasn't happened or if something is configured badly.

    I have a CloudLinux / cPanel server w/ clients on dedicated IPs.
    Someone is running attack scripts of some kind but the complaints all show the primary IP on the server. Running IPTraf, only eth0 and the primary IP show up.

    Is there a setting / work around to force connections to use the account IP vs. the host IP?
     
  2. minosjl

    minosjl Well-Known Member

    Hi,

    Did you enable shell access for your cPanel accounts? And what kind of complaint are you getting?
     
  3. ne0shell

    ne0shell Well-Known Member

    No, SSH is disabled for the client accounts. The complaints are for web (php) vulnerability attacks. e107 BBCode Arbitrary PHP Code Execution and timthumb.php arbitrary upload vulnerability. The reports are coming from multiple targets and they all report my server's primary IP as the attacker rather than my client's dedicated IPs. (I have no shared IP hosting accounts on the server, only dedicated IP accounts).

    I don't understand how my primary IP is being detected other than all traffic is actually routing through it.
     
  4. ne0shell

    ne0shell Well-Known Member

    Is there any way to get cPanel staff to assist on an issue? I'm continuing to get complaints and cannot track down which user is doing this. All the connections are still showing up as going through my server's primary IP rather than reporting the actual IP of the client responsible. I'm completely lost on how to solve this one.
     
  5. rporto

    rporto Member

    I have the same problem here. I'm receiving several complaints that report offending activity originating from my primary IP, which is not used for hosting. Basically they are more of the same as below:

    | Attacker's IP | Timestamp (Pacific Time) | Targeted Server | Attack ID | Attack Information |
    | --- | --- | --- | --- | --- |
    | xx.xx.xx.xx | 2012-02-05 00:22:39 | triangulum.dreamhost.com | 21876625 | timthumb.php arbitrary upload vulnerability |

    I searched the server for timthumb.php or thumb.php without success. I have no idea whatsoever what to look for.
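
One way to tie a complaint row like the one above to a local account, as an added example that is not part of the original thread: log new outbound web connections with the owning UID and match them against the complaint's target and time. It assumes an iptables LOG rule with `--log-uid` on the OUTPUT chain, that PHP runs under each account's own UID, and that the complaint time has been converted to server time and the target hostname resolved to an IP; the `OUTWEB` prefix, log lines, addresses and UIDs are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed kernel log lines, in the shape an assumed rule like
#   iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW \
#            -j LOG --log-uid --log-prefix "OUTWEB "
# would produce. Addresses are documentation ranges; UIDs are made up.
SAMPLE_LOG = """\
Feb  5 00:20:11 host kernel: OUTWEB IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=40100 DPT=80 SYN URGP=0 UID=1001 GID=1001
Feb  5 00:22:37 host kernel: OUTWEB IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40112 DPT=80 SYN URGP=0 UID=1003 GID=1005
Feb  5 00:22:39 host kernel: OUTWEB IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40113 DPT=80 SYN URGP=0 UID=1003 GID=1005
Feb  5 00:22:40 host kernel: OUTWEB IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40250 DPT=80 SYN URGP=0
Feb  5 03:10:02 host kernel: OUTWEB IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=41877 DPT=80 SYN URGP=0 UID=1002 GID=1002
"""

# Syslog timestamp, destination address, and the UID field if the kernel logged one.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?OUTWEB .*?DST=(?P<dst>\S+)"
    r"(?:.*?\bUID=(?P<uid>\d+))?"
)


def uids_for_complaint(log_text, target_ip, when, year, window=timedelta(minutes=2)):
    """Count logged connections to target_ip within +/- window of `when`, per UID.

    Syslog lines carry no year, so the caller supplies it. The key None
    collects packets that were logged without a UID field.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dst"] != target_ip:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if abs(ts - when) <= window:
            hits[int(m["uid"]) if m["uid"] else None] += 1
    return hits


if __name__ == "__main__":
    complaint_time = datetime(2012, 2, 5, 0, 22, 39)  # assumed already in server time
    hits = uids_for_complaint(SAMPLE_LOG, "198.51.100.7", complaint_time, 2012)
    for uid, count in hits.most_common():
        print(f"uid={uid} connections={count}")
```

If PHP runs as a shared user such as `nobody`, every hit lands on that one UID and this approach cannot separate accounts.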
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member
